Technical Documentation

Sniffer Mode Overview

You deploy an IDP virtual router in sniffer mode if you want to learn about security threats in your network but not disrupt connections.

In sniffer mode, the IDP appliance is not in the packet path; it inspects a copy of the traffic. Based on your security policy, the device detects and logs threats in Layer 3 and Layer 2 traffic. For some attacks, the IDP appliance can send TCP resets. However, this action does not guarantee protection: because the appliance only sees a copy, the offending packets have already been forwarded by the time the reset is sent, and the attacker might persist.

For a sniffer mode deployment, you connect an IDP traffic interface to a port mirror or Switched Port Analyzer (SPAN) port.

Figure 1 illustrates a sniffer mode deployment.

Figure 1: Network Diagram: Sniffer Mode


Table 1 lists the features and the limitations of sniffer mode.

Table 1: Sniffer Mode: Features and Limitations

Features:

  • Replaces the current intrusion detection with minimal effort
  • Does not create an additional point-of-failure gateway
  • Detects attacks according to your security policy rules
  • Performs the following security policy actions:
    • Close Client and Server
    • Close Client
    • Close Server
    • IP Close
    • IP Notify

Limitations:

  • Requires a hub or the SPAN port of a network switch
  • Cannot perform the following security policy actions:
    • Drop Packet
    • Drop Connection
    • Mark Diffserv
    • IP Block
  • Cannot perform drop actions
  • Does not inspect HTTPS traffic that requires the interdiction feature
  • Does not support SYN Protector rulebase in relay mode
  • Does not support Network Honeypot rulebase
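The following Python model is an added illustration, not Juniper code, of how the sniffer-mode actions in Table 1 and the reset caveat above play out: it inspects copies of packets from a SPAN feed, builds the Close Client / Close Server resets, refuses the inline-only actions, and reports how much payload the switch had already forwarded before the match fired. The signature, addresses and packets are constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str            # "ip:port" of the sender
    dst: str            # "ip:port" of the receiver
    seq: int            # TCP sequence number of the first payload byte
    ack: int            # acknowledgement number
    payload: bytes = b""
    flags: str = "PA"   # "R" marks a reset injected by the sensor

# Hypothetical policy rule pattern; not a Juniper signature.
SIGNATURE = b"/cgi-bin/bad?"
# Actions from Table 1 that need the sensor in the forwarding path.
INLINE_ONLY = {"Drop Packet", "Drop Connection", "Mark Diffserv", "IP Block"}
CLOSE = ("Close Client and Server", "Close Client", "Close Server")

def sniffer_inspect(packets, action="Close Client and Server"):
    """Inspect mirrored copies of packets as a sniffer-mode sensor would.
    Returns the RST packets the sensor would inject for the chosen action and
    how many payload bytes the switch had already forwarded when the match fired."""
    if action in INLINE_ONLY:
        raise ValueError(f"{action!r} is impossible out-of-band: the sensor only holds a copy")
    if action not in CLOSE:
        raise ValueError(f"{action!r} is not modelled in this example")
    forwarded = 0
    for pkt in packets:
        forwarded += len(pkt.payload)   # the original packet is already past the switch
        if SIGNATURE not in pkt.payload:
            continue
        # A reset toward the server spoofs the client and carries the server's next
        # expected sequence number; a reset toward the client spoofs the server.
        to_server = Packet(pkt.src, pkt.dst, seq=pkt.seq + len(pkt.payload), ack=0, flags="R")
        to_client = Packet(pkt.dst, pkt.src, seq=pkt.ack, ack=0, flags="R")
        resets = {"Close Client and Server": [to_client, to_server],
                  "Close Client": [to_client],
                  "Close Server": [to_server]}[action]
        return {"matched": True, "resets": resets, "bytes_forwarded": forwarded}
    return {"matched": False, "resets": [], "bytes_forwarded": forwarded}

# Constructed sample: an HTTP session as mirrored from a SPAN port.
CLIENT, SERVER = "10.0.0.5:40000", "10.0.0.9:80"
SAMPLE = [
    Packet(CLIENT, SERVER, seq=1000, ack=5000, payload=b"GET /index.html HTTP/1.1\r\n"),
    Packet(SERVER, CLIENT, seq=5000, ack=1026, payload=b"HTTP/1.1 200 OK\r\n"),
    Packet(CLIENT, SERVER, seq=1026, ack=5017, payload=b"GET /cgi-bin/bad?x=1 HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    result = sniffer_inspect(SAMPLE)
    print(f"matched={result['matched']} bytes already forwarded={result['bytes_forwarded']}")
    for rst in result["resets"]:
        print(f"RST {rst.src} -> {rst.dst} seq={rst.seq}")
```

The 74 bytes reported as already forwarded are the page's caveat in numbers: everything up to and including the matching request reached the server before the sensor could react.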

Published: 2010-01-12